authorV3n3RiX <venerix@redcorelinux.org>2019-11-10 13:21:36 +0000
committerV3n3RiX <venerix@redcorelinux.org>2019-11-10 13:21:36 +0000
commit77398e424e45d9e98c1cef3c43bdadb9d56e81ef (patch)
tree5aeffd3fc7b92fc615bd2c222fa8831aeda1925b /metadata/glsa
parentbd4aeefe33e63f613512604e47bfca7b2187697d (diff)
gentoo resync : 10.11.2019
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin449006 -> 449650 bytes
-rw-r--r--metadata/glsa/glsa-201911-01.xml55
-rw-r--r--metadata/glsa/glsa-201911-02.xml49
-rw-r--r--metadata/glsa/glsa-201911-03.xml51
-rw-r--r--metadata/glsa/glsa-201911-04.xml50
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
8 files changed, 222 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 78865332cded..18510522be00 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 449006 BLAKE2B ab32207f84ac7631fd8d236fe1aa63e88587b06e44eb1809cd72818ffb95ebb8390c250d5ab1ac5b1ac80968c4cef20897786383d93e0f140f7f1be52e7cb314 SHA512 d97241a68516a4c88a2d1afe7dac7dc36b0124cf3186aca88c595b3e66875bc4c66530c9b1c5221bf584a799c385182af538ea678c6f87418d9749030c73d619
-TIMESTAMP 2019-11-03T15:08:53Z
+MANIFEST Manifest.files.gz 449650 BLAKE2B 6dfe5b538aa8b27b7721085ca1d3a95579aa48824a42a42364ccb72b1f7baa7bc26c011da790724df4295cd519d468b71fae3df528eab5759be66024501331e7 SHA512 03849ba6f05a9e0d0908f12dafc8617ccb9340589e1896fd94eee10ac300f2dd1f1ad6a5665cae101a1d1bde150bd80adb13e634a464090c266b5a2d73696783
+TIMESTAMP 2019-11-10T12:38:51Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl2+7YVfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl3IBNtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klA/hQ//Q90V3h1hPpFXA3KueeVXekIVjVAOoiEaYpjsn0KP8JVZGAsMjyF2KOfV
-Q2zX1Pfb2KSPI/RR1z92BMd+CBtLcQvx6I0vhk0ZCGk/6cyr95q4a4ekeA+V3xOU
-HqYK4ary3q5RD2ns79nCpMtOYH6k4g6W9DGX0RRdMKW44c110o3XjDHgtQcc4SKx
-83Y/oAk8nmQ3J1TiBIuF2Rz5dOQPgqxI3ojcIteIHYnC4vRZX7HKCN9dGd3JFzv8
-jDxHWeTv5gCEfz2qSsU6oMA3cEfhOQv/8wPut9BtkOIQxgVcDp/ofIVRH6ijul9n
-UNgtF/+4ERwsADw+VABy+B1AlU+ivz4xclnjeaYEWivt2kc+17KFgTR5eM7rooj9
-6xmm6OzI/ZSiblWfo7lquiqUQErZpjLxJOFck8JJnXmHpYdQfkrAm2+d1/Us/Dl7
-XcQpC/dSz8rDnRgjhBVjn8q6tJs1o/4nI4EvX4au5KLOYZueRE5wTNuSGRHrS/sM
-481wDpIecIRa/lIocojNSfxVL8wNSp17KcjMfiev2yDj9/cb6N5d9Ae/QzGLiXPc
-fM6/FyEbkUq7Lk4kOIiD5+5COdCQ32uyUaqP1zu5NPI9XzDaQte8TyB6OeUu59UX
-yjHGtaYKKqs4SiIlbbRKkHUDUis7+Xh8AyQgFYaTh4ZlpNWJ2a0=
-=VLza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+=VA/Y
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 676b6a27efd7..e9c74c8bb513 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-201911-01.xml b/metadata/glsa/glsa-201911-01.xml
new file mode 100644
index 000000000000..e87f7485d76b
--- /dev/null
+++ b/metadata/glsa/glsa-201911-01.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-01">
+ <title>OpenSSH: Integer overflow</title>
+ <synopsis>An integer overflow in OpenSSH might allow an attacker to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">openssh</product>
+ <announced>2019-11-07</announced>
+ <revised count="1">2019-11-07</revised>
+ <bug>697046</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/openssh" auto="yes" arch="*">
+ <unaffected range="ge">8.0_p1-r4</unaffected>
+ <vulnerable range="ge">8.0_p1-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSH is a complete SSH protocol implementation that includes SFTP
+ client and server support.
+ </p>
+ </background>
+ <description>
+ <p>OpenSSH, when built with “xmss” USE flag enabled, has a
+ pre-authentication integer overflow if a client or server is configured
+ to use a crafted XMSS key.
+ </p>
+
+ <p>NOTE: This USE flag is disabled by default!</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could connect to a vulnerable OpenSSH server using a
+ special crafted XMSS key possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>Disable XMSS key type.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSH users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=net-misc/openssh/openssh-8.0_p1-r4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16905">CVE-2019-16905</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-26T14:48:28Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2019-11-07T19:01:23Z">whissi</metadata>
+</glsa>
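Review bot: The package atom in the `<resolution>` code block, `"&gt;=net-misc/openssh/openssh-8.0_p1-r4"`, repeats the package name as an extra path component, so it is not a valid category/package-version atom and emerge should reject the command when it is copied as written. It should read `"&gt;=net-misc/openssh-8.0_p1-r4"`, which matches the `<unaffected range="ge">8.0_p1-r4</unaffected>` entry and the atom form used in glsa-201911-03.xml and glsa-201911-04.xml. The atom also sits on its own line after `# emerge --ask --oneshot --verbose` with no continuation, so a line-by-line paste invokes emerge without a target; keeping the command on one line avoids that. Because this is the remediation step for a pre-authentication flaw, a command that fails leaves hosts built with the xmss USE flag on the vulnerable revision.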
diff --git a/metadata/glsa/glsa-201911-02.xml b/metadata/glsa/glsa-201911-02.xml
new file mode 100644
index 000000000000..8d4d4b4254c8
--- /dev/null
+++ b/metadata/glsa/glsa-201911-02.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-02">
+ <title>pump: User-assisted execution of arbitrary code</title>
+ <synopsis>A buffer overflow in pump might allow remote attacker to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">pump</product>
+ <announced>2019-11-07</announced>
+ <revised count="1">2019-11-07</revised>
+ <bug>694314</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/pump" auto="yes" arch="*">
+ <vulnerable range="le">0.8.24-r4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>BOOTP and DHCP client for automatic IP configuration.</p>
+ </background>
+ <description>
+ <p>It was discovered that there was an arbitrary code execution
+ vulnerability in the pump DHCP/BOOTP client.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to connect to a malicious server,
+ could cause the execution of arbitrary code with the privileges of the
+ user running pump DHCP/BOOTP client.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for pump. We recommend that users
+ unmerge pump:
+ </p>
+
+ <code>
+ # emerge --unmerge "net-misc/pump"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://bugs.debian.org/933674">Debian Bug Report 933674</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-26T18:02:26Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2019-11-07T19:05:32Z">whissi</metadata>
+</glsa>
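Review bot: The `<references>` block lists only the Debian bug report and carries no CVE identifier, unlike the other three advisories added in this commit. Scanners and asset inventories that correlate on CVE ids cannot match this advisory to the pump flaw; if an identifier was assigned (not visible here), it should be added as a further `<uri>` entry. The `<description>` also omits the flaw class that the synopsis names (buffer overflow), so a sentence there stating it would make the two agree.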
diff --git a/metadata/glsa/glsa-201911-03.xml b/metadata/glsa/glsa-201911-03.xml
new file mode 100644
index 000000000000..0d7dff81e1d8
--- /dev/null
+++ b/metadata/glsa/glsa-201911-03.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-03">
+ <title>Oniguruma: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Oniguruma, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">oniguruma</product>
+ <announced>2019-11-07</announced>
+ <revised count="1">2019-11-07</revised>
+ <bug>691832</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/oniguruma" auto="yes" arch="*">
+ <unaffected range="ge">6.9.3</unaffected>
+ <vulnerable range="lt">6.9.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Oniguruma is a regular expression library.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oniguruma. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker, by enticing a user to process a specially crafted
+ string using an application linked against Oniguruma, could possibly
+ execute arbitrary code with the privileges of the process or cause a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Oniguruma users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/oniguruma-6.9.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13224">CVE-2019-13224</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13225">CVE-2019-13225</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-09-12T21:09:00Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2019-11-07T19:07:37Z">whissi</metadata>
+</glsa>
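Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line names an external DTD over cleartext HTTP, and the same line opens glsa-201911-01.xml, glsa-201911-02.xml and glsa-201911-04.xml. Whether any consumer resolves it is not visible here, but a parser that loads the external subset would take parser input over an unauthenticated channel. Tooling that reads these files should parse with external DTD and entity loading disabled, or validate against a locally pinned copy of the DTD. If the format requires the declaration, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` is the safer form, assuming the DTD is served at that address.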
diff --git a/metadata/glsa/glsa-201911-04.xml b/metadata/glsa/glsa-201911-04.xml
new file mode 100644
index 000000000000..8793df1008cf
--- /dev/null
+++ b/metadata/glsa/glsa-201911-04.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-04">
+ <title>OpenSSL: Multiple vulnerabilities</title>
+ <synopsis>Multiple information disclosure vulnerabilities in OpenSSL allow
+ attackers to obtain sensitive information.
+ </synopsis>
+ <product type="ebuild">openssl</product>
+ <announced>2019-11-07</announced>
+ <revised count="1">2019-11-07</revised>
+ <bug>694162</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/openssl" auto="yes" arch="*">
+ <unaffected range="ge">1.0.2t</unaffected>
+ <vulnerable range="lt">1.0.2t</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
+ (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
+ purpose cryptography library.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/openssl-1.0.2t"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1547">CVE-2019-1547</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1563">CVE-2019-1563</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-09-12T14:09:32Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2019-11-07T19:09:02Z">whissi</metadata>
+</glsa>
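Review bot: The `<affected>` block has a single pair, `<unaffected range="ge">1.0.2t</unaffected>` and `<vulnerable range="lt">1.0.2t</vulnerable>`, so every installed version that sorts above 1.0.2t, including any from a newer release branch, is reported as unaffected. If upstream's advisory for CVE-2019-1547 and CVE-2019-1563 also lists fixed releases on newer branches (worth confirming against the referenced NVD entries), those branches need their own unaffected/vulnerable pairs. Otherwise glsa-check style tooling will pass hosts that still carry the flaws. The `<impact type="low">` paragraph only defers to the CVEs; one sentence saying what can be disclosed and to whom would let readers triage without leaving the advisory.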
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 0228db373743..e2f6f72bc9c5 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 03 Nov 2019 15:08:50 +0000
+Sun, 10 Nov 2019 12:38:48 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index c9b577a39721..a101667e6fc1 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-4c2e30a50e776e9ec1833c4419ce239e6d9cc178 1572001702 2019-10-25T11:08:22+00:00
+1b5ecb46a85c74babc035c5996537e2d1932cce0 1573153780 2019-11-07T19:09:40+00:00